Created
February 2, 2016 06:11
X509-SSL-Setup Couchbase
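# Builds a three-level test PKI (root CA -> intermediate CA -> node certificate)
# for a local Couchbase node, installs the node chain and key into the server's
# inbox directory, uploads the root CA and asks the node to reload its certificate.
#
# Every subject, address and credential below is a lab value. Override with the
# environment variables INBOX_DIR, CB_URL, CB_USER and CB_PASSWORD.

# Stop at the first failing step so a half-built chain is never installed.
set -eu
# openssl creates key files with the current umask; keep them owner-only.
umask 077

# Remember the starting directory: every later path is anchored here, so the
# script no longer depends on which directory the previous step left us in.
work_dir=$PWD
inbox_dir="${INBOX_DIR:-/Users/don/Library/Application Support/Couchbase/var/lib/couchbase/inbox}"
cb_url="${CB_URL:-http://127.0.0.1:8091}"
cb_user="${CB_USER:-Administrator}"
cb_password="${CB_PASSWORD:-password}"

# Create CA
# mkdir (without -p) fails if the directory exists, which keeps an existing
# CA key from being silently overwritten by a re-run.
mkdir "$work_dir/root"
cd "$work_dir/root"
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -sha256 -key ca.key -out ca.pem \
  -subj '/C=UA/O=My Company/CN=My Company Root CA'

# Create Intermediate
mkdir "$work_dir/int"
cd "$work_dir/int"
openssl genrsa -out int.key 2048
openssl req -new -key int.key -out int.csr \
  -subj '/C=UA/O=My Company/CN=My Company Intermediate CA'

# Create configuration file for openssl (extensions that mark int.pem as a CA)
cat <<'EOF' > v3_ca.ext
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true
EOF

# CA signs Intermediate
openssl x509 -req -in int.csr -CA ../root/ca.pem -CAkey ../root/ca.key \
  -CAcreateserial -CAserial rootCA.srl -extfile v3_ca.ext \
  -out int.pem -days 365 -sha256

# Verify the intermediate-root chain
openssl verify -CAfile ../root/ca.pem int.pem
openssl x509 -in int.pem -text

# Create node certificate
mkdir "$work_dir/node"
cd "$work_dir/node"
openssl genrsa -out pkey.key 2048
openssl req -new -key pkey.key -out pkey.csr \
  -subj '/C=UA/O=My Company/CN=127.0.0.1'

# Leaf extensions: not a CA, server-auth only, and the address in a
# subjectAltName, since current TLS clients match the SAN rather than the CN.
cat <<'EOF' > v3_node.ext
basicConstraints=CA:false
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:127.0.0.1
EOF

openssl x509 -req -in pkey.csr -CA ../int/int.pem -CAkey ../int/int.key \
  -CAcreateserial -CAserial intermediateCA.srl -extfile v3_node.ext \
  -out pkey.pem -days 365 -sha256

# Verify the node-intermediate-root chain
# The first two calls omit part of the chain and are expected to be rejected
# (unless the root is already in the system trust store); they only show why
# the third form is needed, so their status is ignored.
openssl verify -verbose pkey.pem || true
openssl verify -untrusted ../int/int.pem pkey.pem || true
openssl verify -untrusted ../int/int.pem -CAfile ../root/ca.pem pkey.pem

# Generate chain file – Lowest goes first not including CA
cat pkey.pem ../int/int.pem > chain.pem

# Copy to inbox couchbase folder
# NOTE(review): the private key is installed under the name pkey.pem, as in the
# original; later Couchbase documentation names this file pkey.key — confirm
# the name your server version expects.
cp chain.pem "$inbox_dir/"
cp pkey.key "$inbox_dir/pkey.pem"

# Permissions so couchbase can read the files.
# The chain is public material; the private key stays owner-only instead of
# world-writable 777. If the server runs under a different account, chown the
# files to that account rather than widening the mode.
chmod 644 "$inbox_dir/chain.pem"
chmod 600 "$inbox_dir/pkey.pem"

# Setup Couchbase -- load cluster cert
# The admin credentials travel over plain HTTP and are visible in the process
# list while curl runs; acceptable only against loopback with lab credentials.
# --fail makes an HTTP error status abort the script instead of passing silently.
cd "$work_dir/root"
curl --fail -X POST -u "$cb_user:$cb_password" --data-binary "@./ca.pem" \
  "$cb_url/controller/uploadClusterCA"

# Load node certs
curl --fail -X POST -u "$cb_user:$cb_password" \
  "$cb_url/node/controller/reloadCertificate"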